summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@huawei.com>2024-02-15 11:31:03 +0100
committerPaul Moore <paul@paul-moore.com>2024-02-15 23:43:44 -0500
commita7811e34d100acf24870eb949c5ae3e49dde18b9 (patch)
treefa9839a50b4601873ea5bb9fdb357202c3793894 /security
parent08abce60d63fb55f440c393f4508e99064f2fd91 (diff)
downloadlinux-stable-a7811e34d100acf24870eb949c5ae3e49dde18b9.tar.gz
linux-stable-a7811e34d100acf24870eb949c5ae3e49dde18b9.tar.bz2
linux-stable-a7811e34d100acf24870eb949c5ae3e49dde18b9.zip
security: Introduce inode_post_create_tmpfile hook
In preparation for moving IMA and EVM to the LSM infrastructure, introduce the inode_post_create_tmpfile hook. As temp files can be made persistent, treat new temp files like other new files, so that the file hash is calculated and stored in the security xattr. LSMs could also take some action after temp files have been created. The new hook cannot return an error and cannot cause the operation to be canceled. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Christian Brauner <brauner@kernel.org> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/security.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index ee4582e1d4d0..710db090aa8b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2014,6 +2014,21 @@ int security_inode_create(struct inode *dir, struct dentry *dentry,
EXPORT_SYMBOL_GPL(security_inode_create);
/**
+ * security_inode_post_create_tmpfile() - Update inode security of new tmpfile
+ * @idmap: idmap of the mount
+ * @inode: inode of the new tmpfile
+ *
+ * Update inode security data after a tmpfile has been created.
+ */
+void security_inode_post_create_tmpfile(struct mnt_idmap *idmap,
+ struct inode *inode)
+{
+ if (unlikely(IS_PRIVATE(inode)))
+ return;
+ call_void_hook(inode_post_create_tmpfile, idmap, inode);
+}
+
+/**
* security_inode_link() - Check if creating a hard link is allowed
* @old_dentry: existing file
* @dir: new parent directory